change_profile
- fix use of cxt->previous_profile: it was changing to the stored pointer instead of searching for the profile by its name, which could result in use of a stale profile - remove locking of cxt->previous_profile since it is no longer needed - refresh change_profile series of patches
This commit is contained in:
parent
670db9b0a4
commit
84bfd57edf
6 changed files with 182 additions and 88 deletions
|
@ -1,20 +1,24 @@
|
|||
Index: b/security/apparmor/main.c
|
||||
===================================================================
|
||||
---
|
||||
security/apparmor/main.c | 251 +++++++++++++++++--------------------------
|
||||
security/apparmor/procattr.c | 5
|
||||
2 files changed, 102 insertions(+), 154 deletions(-)
|
||||
|
||||
--- a/security/apparmor/main.c
|
||||
+++ b/security/apparmor/main.c
|
||||
@@ -934,72 +934,59 @@ repeat:
|
||||
@@ -934,72 +934,52 @@ repeat:
|
||||
}
|
||||
}
|
||||
|
||||
-static int do_change_profile(struct task_struct *task, const char *name,
|
||||
- const char *hat, u64 cookie, struct aa_audit *sa)
|
||||
+static int do_change_profile(struct aa_profile *expected, const char *name,
|
||||
+ u64 cookie, struct aa_audit *sa)
|
||||
+ u64 cookie, int restore, struct aa_audit *sa)
|
||||
{
|
||||
- struct aa_profile *profile = NULL, *previous_profile = NULL,
|
||||
- *name_profile = NULL;
|
||||
- struct aa_task_context *new_cxt, *cxt, *old_cxt = NULL;
|
||||
+ struct aa_profile *profile = NULL, *previous_profile = NULL;
|
||||
+ struct aa_profile *profile = NULL, *old_profile = NULL,
|
||||
+ *previous_profile = NULL;
|
||||
+ struct aa_task_context *new_cxt, *cxt;
|
||||
int error = 0;
|
||||
|
||||
|
@ -25,27 +29,29 @@ Index: b/security/apparmor/main.c
|
|||
return -ENOMEM;
|
||||
|
||||
-repeat:
|
||||
if (name) {
|
||||
- if (name) {
|
||||
- if (hat)
|
||||
- profile = aa_find_profile2(name, hat);
|
||||
- else
|
||||
- profile = aa_find_profile(name);
|
||||
+ profile = aa_find_profile(name);
|
||||
if (!profile)
|
||||
- if (!profile)
|
||||
- /* if we name_profile is set then returning
|
||||
- * and return profile has been removed, so go
|
||||
- * unconfined.
|
||||
- */
|
||||
- profile = aa_dup_profile(null_complain_profile);
|
||||
+ profile = aa_dup_profile(null_complain_profile);
|
||||
}
|
||||
- }
|
||||
- cxt = lock_task_and_profiles(task, profile);
|
||||
+ profile = aa_find_profile(name);
|
||||
+ if (!profile && !restore)
|
||||
+ profile = aa_dup_profile(null_complain_profile);
|
||||
+
|
||||
+ cxt = lock_task_and_profiles(current, profile);
|
||||
if (!cxt) {
|
||||
error = -EPERM;
|
||||
goto out;
|
||||
}
|
||||
+ old_profile = cxt->profile;
|
||||
|
||||
- if (!name || (hat && old_cxt && old_cxt != cxt)) {
|
||||
- /* need to find the change_hat name */
|
||||
|
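Review bot: The new `if (!profile && !restore)` guard changes what happens when a restore names a profile that `aa_find_profile` can no longer find: the old code always fell back to `null_complain_profile` (despite its comment saying "go unconfined"), while the new code leaves `profile` NULL for the restore case and continues into `lock_task_and_profiles(current, profile)`, and the later `(profile && profile->isstale)` check also lets NULL through. Whether that NULL profile ends up being installed by `aa_change_task_context` (which would leave the task unconfined) or is rejected further down is not visible in this hunk, so I cannot tell which is intended. I'd add a comment on that line spelling out the policy, e.g. `/* restore to a removed profile: profile stays NULL -- task becomes unconfined (not null_complain) */` or whatever the intended outcome is, since the old comment and old code disagreed on exactly this point. do_change_profile continues past the end of this hunk.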
@ -64,7 +70,7 @@ Index: b/security/apparmor/main.c
|
|||
- unlock_task_and_profiles(task, cxt, profile);
|
||||
- aa_put_profile(profile);
|
||||
- goto repeat;
|
||||
+ if (cxt->profile != expected) {
|
||||
+ if (cxt->profile != expected || (profile && profile->isstale)) {
|
||||
+ error = -ESTALE;
|
||||
+ goto out;
|
||||
}
|
||||
|
@ -82,24 +88,19 @@ Index: b/security/apparmor/main.c
|
|||
}
|
||||
|
||||
- previous_profile = cxt->previous_profile;
|
||||
+ if (name)
|
||||
- } else {
|
||||
+ if (!restore)
|
||||
+ previous_profile = cxt->previous_profile;
|
||||
+ else
|
||||
+ /* profile is null - returning to previous_profile */
|
||||
+ profile = aa_dup_profile(cxt->previous_profile);
|
||||
+ } else if (!name) {
|
||||
+ /* ignore return when their is no previous_profile */
|
||||
+ goto out;
|
||||
} else {
|
||||
+ } else
|
||||
previous_profile = cxt->profile;
|
||||
}
|
||||
- }
|
||||
|
||||
- if ((task->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, profile)) {
|
||||
+ if ((current->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, profile)) {
|
||||
error = -EACCES;
|
||||
goto out;
|
||||
}
|
||||
@@ -1015,79 +1002,18 @@ repeat:
|
||||
@@ -1015,79 +995,19 @@ repeat:
|
||||
|
||||
if (APPARMOR_AUDIT(cxt))
|
||||
aa_audit_message(cxt->profile, sa, AUDIT_APPARMOR_AUDIT);
|
||||
|
@ -132,7 +133,7 @@ Index: b/security/apparmor/main.c
|
|||
- error = -EPERM;
|
||||
- goto out;
|
||||
- }
|
||||
|
||||
-
|
||||
- /* ignore returning to stored profile when there isn't one */
|
||||
- if (!cxt->previous_profile)
|
||||
- goto out;
|
||||
|
@ -152,7 +153,7 @@ Index: b/security/apparmor/main.c
|
|||
- aa_put_profile(previous_profile);
|
||||
- goto repeat;
|
||||
- }
|
||||
-
|
||||
|
||||
- if (cxt->cookie != cookie) {
|
||||
- error = -EACCES;
|
||||
- sa->info = "killing process";
|
||||
|
@ -161,7 +162,7 @@ Index: b/security/apparmor/main.c
|
|||
- (void)send_sig_info(SIGKILL, NULL, task);
|
||||
- goto out;
|
||||
- }
|
||||
+ if (name && cookie)
|
||||
+ if (!restore && cookie)
|
||||
+ aa_change_task_context(current, new_cxt, profile, cookie,
|
||||
+ previous_profile);
|
||||
+ else
|
||||
|
@ -183,22 +184,40 @@ Index: b/security/apparmor/main.c
|
|||
+ if (aa_task_context(current) != new_cxt)
|
||||
aa_free_task_context(new_cxt);
|
||||
- unlock_task_and_profiles(task, cxt, profile);
|
||||
+ unlock_task_and_profiles(current, cxt, profile);
|
||||
+ task_unlock(current);
|
||||
+ unlock_both_profiles(old_profile, profile);
|
||||
aa_put_profile(profile);
|
||||
return error;
|
||||
}
|
||||
@@ -1113,28 +1039,29 @@ int aa_change_profile(const char *name,
|
||||
@@ -1106,35 +1026,46 @@ out:
|
||||
*/
|
||||
int aa_change_profile(const char *name, u64 cookie)
|
||||
{
|
||||
- struct aa_profile *profile;
|
||||
+ struct aa_task_context *cxt;
|
||||
+ struct aa_profile *profile, *previous_profile;
|
||||
struct aa_audit sa;
|
||||
int error = 0;
|
||||
|
||||
memset(&sa, 0, sizeof(sa));
|
||||
sa.gfp_mask = GFP_ATOMIC;
|
||||
sa.cookie = cookie;
|
||||
- sa.name = name;
|
||||
sa.operation = "change_profile";
|
||||
|
||||
+repeat:
|
||||
profile = aa_get_profile(current);
|
||||
if (!profile)
|
||||
- profile = aa_get_profile(current);
|
||||
- if (!profile)
|
||||
- /* an unconfined process can not change_profile */
|
||||
+repeat:
|
||||
+ task_lock(current);
|
||||
+ cxt = aa_task_context(current);
|
||||
+ if (!cxt) {
|
||||
+ task_unlock(current);
|
||||
return -EPERM;
|
||||
+ }
|
||||
+ profile = aa_dup_profile(cxt->profile);
|
||||
+ previous_profile = aa_dup_profile(cxt->previous_profile);
|
||||
+ task_unlock(current);
|
||||
|
||||
if (name) {
|
||||
if (profile != null_complain_profile &&
|
||||
|
@ -209,15 +228,18 @@ Index: b/security/apparmor/main.c
|
|||
aa_put_profile(profile);
|
||||
return -EACCES;
|
||||
}
|
||||
-
|
||||
+ error = do_change_profile(profile, name, cookie, 0, &sa);
|
||||
+ } else if (previous_profile)
|
||||
+ error = do_change_profile(profile, previous_profile->name,
|
||||
+ cookie, 1, &sa);
|
||||
+ /* else ignore restores when there is no saved profile */
|
||||
|
||||
- error = do_change_profile(current, name, NULL, cookie, &sa);
|
||||
- } else {
|
||||
- error = do_restore_profile(current, cookie, &sa);
|
||||
- }
|
||||
+ error = do_change_profile(profile, name, cookie, &sa);
|
||||
+ } else
|
||||
+ error = do_change_profile(profile, NULL, cookie, &sa);
|
||||
|
||||
-
|
||||
+ aa_put_profile(previous_profile);
|
||||
aa_put_profile(profile);
|
||||
+ if (error == -ESTALE)
|
||||
+ goto repeat;
|
||||
|
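Review bot: The `-EACCES` refusal inside `if (name)` drops the reference taken by the newly added `previous_profile = aa_dup_profile(cxt->previous_profile);` — only `aa_put_profile(profile);` runs before `return -EACCES;`, and the added `aa_put_profile(previous_profile);` is reached only on the fall-through path. As far as this hunk shows, that leaks a profile reference on every refused change_profile from a confined task that has a saved profile. aa_change_hat in the same patch already routes its failure paths through an `out:` label that puts both profiles, so I'd do the same here: replace the early return with `error = -EACCES; goto out;` and put `out:` in front of the two `aa_put_profile` calls (an `-EACCES` error does not trigger the `-ESTALE` retry, so the `goto repeat` logic is unaffected). The condition guarding this refusal, and the start of aa_change_profile, are outside the hunk.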
@ -225,7 +247,7 @@ Index: b/security/apparmor/main.c
|
|||
return error;
|
||||
}
|
||||
|
||||
@@ -1151,22 +1078,55 @@ int aa_change_profile(const char *name,
|
||||
@@ -1151,22 +1082,53 @@ int aa_change_profile(const char *name,
|
||||
*/
|
||||
int aa_change_hat(const char *hat_name, u64 cookie)
|
||||
{
|
||||
|
@ -240,6 +262,13 @@ Index: b/security/apparmor/main.c
|
|||
- sa.name = hat_name;
|
||||
sa.operation = "change_hat";
|
||||
|
||||
- /* FIXME: there is currently no way to tell if a profile doesn't have
|
||||
- * hats so that we can return -ECHILD
|
||||
- */
|
||||
- if (hat_name)
|
||||
- error = do_change_profile(current, NULL, hat_name, cookie, &sa);
|
||||
- else
|
||||
- error = do_restore_profile(current, cookie, &sa);
|
||||
+repeat:
|
||||
+ task_lock(current);
|
||||
+ cxt = aa_task_context(current);
|
||||
|
@ -247,14 +276,6 @@ Index: b/security/apparmor/main.c
|
|||
+ task_unlock(current);
|
||||
+ return -EPERM;
|
||||
+ }
|
||||
/* FIXME: there is currently no way to tell if a profile doesn't have
|
||||
* hats so that we can return -ECHILD
|
||||
*/
|
||||
- if (hat_name)
|
||||
- error = do_change_profile(current, NULL, hat_name, cookie, &sa);
|
||||
- else
|
||||
- error = do_restore_profile(current, cookie, &sa);
|
||||
+
|
||||
+ profile = aa_dup_profile(cxt->profile);
|
||||
+ previous_profile = aa_dup_profile(cxt->previous_profile);
|
||||
+ task_unlock(current);
|
||||
|
@ -273,10 +294,12 @@ Index: b/security/apparmor/main.c
|
|||
+ goto out;
|
||||
+ }
|
||||
+ sprintf(name, "%s//%s", profile_name, hat_name);
|
||||
+ error = do_change_profile(profile, name, cookie, &sa);
|
||||
+ error = do_change_profile(profile, name, cookie, 0, &sa);
|
||||
+ kfree(name);
|
||||
+ } else
|
||||
+ error = do_change_profile(profile, NULL, cookie, &sa);
|
||||
+ } else if (previous_profile)
|
||||
+ error = do_change_profile(profile, previous_profile->name,
|
||||
+ cookie, 1, &sa);
|
||||
+ /* else ignore restores when there is no saved profile */
|
||||
+
|
||||
+out:
|
||||
+ aa_put_profile(previous_profile);
|
||||
|
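Review bot: `sprintf(name, "%s//%s", profile_name, hat_name);` writes into a buffer whose allocation size is computed outside this hunk, and `hat_name` is caller-supplied. Unless that allocation is exactly `strlen(profile_name) + strlen(hat_name) + 3`, this is an unbounded write; even if it is today, the format string and the size computation live apart and can drift. I'd keep the computed length in a local and use `snprintf(name, len, "%s//%s", profile_name, hat_name);` so a mismatch cannot overrun the allocation. aa_change_hat starts before this hunk and the `kmalloc` of `name` is not visible here.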
@ -286,8 +309,79 @@ Index: b/security/apparmor/main.c
|
|||
|
||||
return error;
|
||||
}
|
||||
Index: b/security/apparmor/procattr.c
|
||||
===================================================================
|
||||
@@ -1193,13 +1155,15 @@ struct aa_profile *__aa_replace_profile(
|
||||
|
||||
cxt = lock_task_and_profiles(task, profile);
|
||||
if (unlikely(profile && profile->isstale)) {
|
||||
- unlock_task_and_profiles(task, cxt, profile);
|
||||
+ task_unlock(task);
|
||||
+ unlock_both_profiles(profile, cxt ? cxt->profile : NULL);
|
||||
aa_free_task_context(new_cxt);
|
||||
return ERR_PTR(-ESTALE);
|
||||
}
|
||||
|
||||
if ((current->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, profile)) {
|
||||
- unlock_task_and_profiles(task, cxt, profile);
|
||||
+ task_unlock(task);
|
||||
+ unlock_both_profiles(profile, cxt ? cxt->profile : NULL);
|
||||
aa_free_task_context(new_cxt);
|
||||
return ERR_PTR(-EPERM);
|
||||
}
|
||||
@@ -1208,7 +1172,8 @@ struct aa_profile *__aa_replace_profile(
|
||||
old_profile = aa_dup_profile(cxt->profile);
|
||||
aa_change_task_context(task, new_cxt, profile, 0, NULL);
|
||||
|
||||
- unlock_task_and_profiles(task, cxt, profile);
|
||||
+ task_unlock(task);
|
||||
+ unlock_both_profiles(profile, old_profile);
|
||||
return old_profile;
|
||||
}
|
||||
|
||||
@@ -1228,16 +1193,13 @@ lock_task_and_profiles(struct task_struc
|
||||
{
|
||||
struct aa_task_context *cxt;
|
||||
struct aa_profile *old_profile = NULL;
|
||||
- int lock_token = !profile;
|
||||
|
||||
rcu_read_lock();
|
||||
repeat:
|
||||
cxt = aa_task_context(task);
|
||||
- if (cxt) {
|
||||
+ if (cxt)
|
||||
old_profile = cxt->profile;
|
||||
- if (lock_token)
|
||||
- profile = cxt->previous_profile;
|
||||
- }
|
||||
+
|
||||
lock_both_profiles(profile, old_profile);
|
||||
task_lock(task);
|
||||
|
||||
@@ -1246,25 +1208,12 @@ repeat:
|
||||
task_unlock(task);
|
||||
unlock_both_profiles(profile, old_profile);
|
||||
old_profile = NULL;
|
||||
- if (lock_token)
|
||||
- profile = NULL;
|
||||
goto repeat;
|
||||
}
|
||||
rcu_read_unlock();
|
||||
return cxt;
|
||||
}
|
||||
|
||||
-void unlock_task_and_profiles(struct task_struct *task,
|
||||
- struct aa_task_context *cxt,
|
||||
- struct aa_profile *profile)
|
||||
-{
|
||||
- task_unlock(task);
|
||||
- if (cxt && !profile)
|
||||
- profile = cxt->previous_profile;
|
||||
- unlock_both_profiles(profile, cxt ? cxt->profile : NULL);
|
||||
-}
|
||||
-
|
||||
-
|
||||
static void free_aa_task_context_rcu_callback(struct rcu_head *head)
|
||||
{
|
||||
struct aa_task_context *cxt;
|
||||
--- a/security/apparmor/procattr.c
|
||||
+++ b/security/apparmor/procattr.c
|
||||
@@ -27,7 +27,6 @@ int aa_getprocattr(struct aa_profile *pr
|
||||
|
|
|
@ -113,7 +113,7 @@ change_hat-to-change_profile - convert change_hat to use change_profile
|
|||
|
||||
--- a/security/apparmor/main.c
|
||||
+++ b/security/apparmor/main.c
|
||||
@@ -715,7 +715,7 @@ repeat:
|
||||
@@ -730,7 +730,7 @@ repeat:
|
||||
|
||||
/* No need to grab the child's task lock here. */
|
||||
aa_change_task_context(child, child_cxt, profile,
|
||||
|
@ -122,7 +122,7 @@ change_hat-to-change_profile - convert change_hat to use change_profile
|
|||
unlock_profile(profile);
|
||||
|
||||
if (APPARMOR_COMPLAIN(child_cxt) &&
|
||||
@@ -946,12 +946,196 @@ repeat:
|
||||
@@ -961,12 +961,196 @@ repeat:
|
||||
aa_put_profile(profile);
|
||||
goto repeat;
|
||||
}
|
||||
|
@ -320,7 +320,7 @@ change_hat-to-change_profile - convert change_hat to use change_profile
|
|||
/**
|
||||
* do_change_hat - actually switch hats
|
||||
* @hat_name: name of hat to switch to
|
||||
@@ -1091,10 +1275,6 @@ int aa_change_hat(const char *hat_name,
|
||||
@@ -1106,10 +1290,6 @@ int aa_change_hat(const char *hat_name,
|
||||
cxt->hat_magic, &sa);
|
||||
}
|
||||
} else if (cxt->hat_magic) {
|
||||
|
@ -331,7 +331,7 @@ change_hat-to-change_profile - convert change_hat to use change_profile
|
|||
} else { /* cxt->hat_magic == 0 */
|
||||
sa.info = "killing process confined to current hat";
|
||||
aa_audit_status(profile, &sa);
|
||||
@@ -1107,8 +1287,7 @@ int aa_change_hat(const char *hat_name,
|
||||
@@ -1122,8 +1302,7 @@ int aa_change_hat(const char *hat_name,
|
||||
out:
|
||||
if (aa_task_context(current) != new_cxt)
|
||||
aa_free_task_context(new_cxt);
|
||||
|
@ -341,7 +341,7 @@ change_hat-to-change_profile - convert change_hat to use change_profile
|
|||
return error;
|
||||
}
|
||||
|
||||
@@ -1116,14 +1295,12 @@ out:
|
||||
@@ -1131,14 +1310,12 @@ out:
|
||||
* __aa_replace_profile - replace a task's profile
|
||||
* @task: task to switch the profile of
|
||||
* @profile: profile to switch to
|
||||
|
@ -357,7 +357,7 @@ change_hat-to-change_profile - convert change_hat to use change_profile
|
|||
{
|
||||
struct aa_task_context *cxt, *new_cxt = NULL;
|
||||
struct aa_profile *old_profile = NULL;
|
||||
@@ -1136,34 +1313,29 @@ struct aa_profile *__aa_replace_profile(
|
||||
@@ -1151,34 +1328,29 @@ struct aa_profile *__aa_replace_profile(
|
||||
|
||||
cxt = lock_task_and_profiles(task, profile);
|
||||
if (unlikely(profile && profile->isstale)) {
|
||||
|
@ -400,7 +400,7 @@ change_hat-to-change_profile - convert change_hat to use change_profile
|
|||
*
|
||||
* Handle the spinning on locking to make sure the task context and
|
||||
* profile are consistent once all locks are aquired.
|
||||
@@ -1176,12 +1348,16 @@ lock_task_and_profiles(struct task_struc
|
||||
@@ -1191,12 +1363,16 @@ lock_task_and_profiles(struct task_struc
|
||||
{
|
||||
struct aa_task_context *cxt;
|
||||
struct aa_profile *old_profile = NULL;
|
||||
|
@ -418,7 +418,7 @@ change_hat-to-change_profile - convert change_hat to use change_profile
|
|||
lock_both_profiles(profile, old_profile);
|
||||
task_lock(task);
|
||||
|
||||
@@ -1189,12 +1365,26 @@ repeat:
|
||||
@@ -1204,12 +1380,26 @@ repeat:
|
||||
if (unlikely(cxt != aa_task_context(task))) {
|
||||
task_unlock(task);
|
||||
unlock_both_profiles(profile, old_profile);
|
||||
|
@ -445,7 +445,7 @@ change_hat-to-change_profile - convert change_hat to use change_profile
|
|||
static void free_aa_task_context_rcu_callback(struct rcu_head *head)
|
||||
{
|
||||
struct aa_task_context *cxt;
|
||||
@@ -1208,11 +1398,13 @@ static void free_aa_task_context_rcu_cal
|
||||
@@ -1223,11 +1413,13 @@ static void free_aa_task_context_rcu_cal
|
||||
* @task: task that is having its task context changed
|
||||
* @new_cxt: new task context to use after the switch
|
||||
* @profile: new profile to use after the switch
|
||||
|
@ -461,7 +461,7 @@ change_hat-to-change_profile - convert change_hat to use change_profile
|
|||
{
|
||||
struct aa_task_context *old_cxt = aa_task_context(task);
|
||||
|
||||
@@ -1224,9 +1416,10 @@ void aa_change_task_context(struct task_
|
||||
@@ -1239,9 +1431,10 @@ void aa_change_task_context(struct task_
|
||||
/* clear the caps_logged cache, so that new profile/hat has
|
||||
* chance to emit its own set of cap messages */
|
||||
new_cxt->caps_logged = CAP_EMPTY_SET;
|
||||
|
|
|
@ -74,7 +74,7 @@
|
|||
}
|
||||
--- a/security/apparmor/main.c
|
||||
+++ b/security/apparmor/main.c
|
||||
@@ -323,8 +323,8 @@ static int aa_audit_base(struct aa_profi
|
||||
@@ -343,8 +343,8 @@ static int aa_audit_base(struct aa_profi
|
||||
audit_log_untrustedstring(ab, sa->name2);
|
||||
}
|
||||
|
||||
|
@ -85,7 +85,7 @@
|
|||
|
||||
audit_log_format(ab, " pid=%d", current->pid);
|
||||
|
||||
@@ -677,7 +677,7 @@ repeat:
|
||||
@@ -697,7 +697,7 @@ repeat:
|
||||
|
||||
/* No need to grab the child's task lock here. */
|
||||
aa_change_task_context(child, child_cxt, profile,
|
||||
|
@ -94,7 +94,7 @@
|
|||
unlock_profile(profile);
|
||||
|
||||
if (APPARMOR_COMPLAIN(child_cxt) &&
|
||||
@@ -915,9 +915,9 @@ repeat:
|
||||
@@ -935,9 +935,9 @@ repeat:
|
||||
}
|
||||
|
||||
static int do_change_profile(struct task_struct *task, const char *name,
|
||||
|
@ -106,7 +106,7 @@
|
|||
*name_profile = NULL;
|
||||
struct aa_task_context *new_cxt, *cxt, *old_cxt = NULL;
|
||||
int error = 0;
|
||||
@@ -948,8 +948,8 @@ repeat:
|
||||
@@ -968,8 +968,8 @@ repeat:
|
||||
if (!name || (hat && old_cxt && old_cxt != cxt)) {
|
||||
/* need to find the change_hat name */
|
||||
aa_put_profile(name_profile);
|
||||
|
@ -117,7 +117,7 @@
|
|||
else
|
||||
name_profile = aa_dup_profile(cxt->profile);
|
||||
name = name_profile->name;
|
||||
@@ -964,8 +964,8 @@ repeat:
|
||||
@@ -984,8 +984,8 @@ repeat:
|
||||
goto repeat;
|
||||
}
|
||||
|
||||
|
@ -128,7 +128,7 @@
|
|||
error = -EACCES;
|
||||
sa->info = "killing process";
|
||||
aa_audit_reject(profile, sa);
|
||||
@@ -974,9 +974,9 @@ repeat:
|
||||
@@ -994,9 +994,9 @@ repeat:
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
@ -140,7 +140,7 @@
|
|||
}
|
||||
|
||||
if ((task->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, profile)) {
|
||||
@@ -995,7 +995,8 @@ repeat:
|
||||
@@ -1015,7 +1015,8 @@ repeat:
|
||||
|
||||
if (APPARMOR_AUDIT(cxt))
|
||||
aa_audit_message(cxt->profile, sa, AUDIT_APPARMOR_AUDIT);
|
||||
|
@ -150,7 +150,7 @@
|
|||
|
||||
out:
|
||||
if (aa_task_context(task) != new_cxt)
|
||||
@@ -1006,7 +1007,7 @@ out:
|
||||
@@ -1026,7 +1027,7 @@ out:
|
||||
return error;
|
||||
}
|
||||
|
||||
|
@ -159,7 +159,7 @@
|
|||
struct aa_audit *sa)
|
||||
{
|
||||
struct aa_profile *profile = NULL;
|
||||
@@ -1025,25 +1026,26 @@ repeat:
|
||||
@@ -1045,25 +1046,26 @@ repeat:
|
||||
}
|
||||
|
||||
/* ignore returning to stored profile when there isn't one */
|
||||
|
@ -194,7 +194,7 @@
|
|||
error = -EACCES;
|
||||
sa->info = "killing process";
|
||||
aa_audit_reject(profile, sa);
|
||||
@@ -1074,15 +1076,15 @@ out:
|
||||
@@ -1094,15 +1096,15 @@ out:
|
||||
/**
|
||||
* aa_change_profile - change profile to/from previous stored profile
|
||||
* @name: name of profile to change to
|
||||
|
@ -215,7 +215,7 @@
|
|||
{
|
||||
struct aa_profile *profile;
|
||||
struct aa_audit sa;
|
||||
@@ -1090,7 +1092,7 @@ int aa_change_profile(const char *name,
|
||||
@@ -1110,7 +1112,7 @@ int aa_change_profile(const char *name,
|
||||
|
||||
memset(&sa, 0, sizeof(sa));
|
||||
sa.gfp_mask = GFP_ATOMIC;
|
||||
|
@ -224,7 +224,7 @@
|
|||
sa.name = name;
|
||||
sa.operation = "change_profile";
|
||||
|
||||
@@ -1107,9 +1109,9 @@ int aa_change_profile(const char *name,
|
||||
@@ -1127,9 +1129,9 @@ int aa_change_profile(const char *name,
|
||||
return -EACCES;
|
||||
}
|
||||
|
||||
|
@ -236,7 +236,7 @@
|
|||
}
|
||||
|
||||
aa_put_profile(profile);
|
||||
@@ -1119,22 +1121,22 @@ int aa_change_profile(const char *name,
|
||||
@@ -1139,22 +1141,22 @@ int aa_change_profile(const char *name,
|
||||
/**
|
||||
* aa_change_hat - change hat to/from subprofile
|
||||
* @hat_name: hat to change to
|
||||
|
@ -263,7 +263,7 @@
|
|||
sa.name = hat_name;
|
||||
sa.operation = "change_hat";
|
||||
|
||||
@@ -1142,9 +1144,9 @@ int aa_change_hat(const char *hat_name,
|
||||
@@ -1162,9 +1164,9 @@ int aa_change_hat(const char *hat_name,
|
||||
* hats so that we can return -ECHILD
|
||||
*/
|
||||
if (hat_name)
|
||||
|
@ -275,7 +275,7 @@
|
|||
|
||||
return error;
|
||||
}
|
||||
@@ -1214,7 +1216,7 @@ repeat:
|
||||
@@ -1234,7 +1236,7 @@ repeat:
|
||||
if (cxt) {
|
||||
old_profile = cxt->profile;
|
||||
if (lock_token)
|
||||
|
@ -284,7 +284,7 @@
|
|||
}
|
||||
lock_both_profiles(profile, old_profile);
|
||||
task_lock(task);
|
||||
@@ -1238,7 +1240,7 @@ void unlock_task_and_profiles(struct tas
|
||||
@@ -1258,7 +1260,7 @@ void unlock_task_and_profiles(struct tas
|
||||
{
|
||||
task_unlock(task);
|
||||
if (cxt && !profile)
|
||||
|
@ -293,7 +293,7 @@
|
|||
unlock_both_profiles(profile, cxt ? cxt->profile : NULL);
|
||||
}
|
||||
|
||||
@@ -1256,13 +1258,13 @@ static void free_aa_task_context_rcu_cal
|
||||
@@ -1276,13 +1278,13 @@ static void free_aa_task_context_rcu_cal
|
||||
* @task: task that is having its task context changed
|
||||
* @new_cxt: new task context to use after the switch
|
||||
* @profile: new profile to use after the switch
|
||||
|
@ -311,7 +311,7 @@
|
|||
{
|
||||
struct aa_task_context *old_cxt = aa_task_context(task);
|
||||
|
||||
@@ -1274,10 +1276,10 @@ void aa_change_task_context(struct task_
|
||||
@@ -1294,10 +1296,10 @@ void aa_change_task_context(struct task_
|
||||
/* clear the caps_logged cache, so that new profile/hat has
|
||||
* chance to emit its own set of cap messages */
|
||||
new_cxt->caps_logged = CAP_EMPTY_SET;
|
||||
|
|
|
@ -182,7 +182,7 @@
|
|||
void aa_profilelist_release(void)
|
||||
--- a/security/apparmor/main.c
|
||||
+++ b/security/apparmor/main.c
|
||||
@@ -205,42 +205,6 @@ static int aa_perm_dentry(struct aa_prof
|
||||
@@ -204,42 +204,6 @@ static int aa_perm_dentry(struct aa_prof
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -225,7 +225,7 @@
|
|||
* alloc_null_complain_profile - Allocate the global null_complain_profile.
|
||||
*
|
||||
* Return %0 (success) or error (-%ENOMEM)
|
||||
@@ -258,8 +222,6 @@ int alloc_null_complain_profile(void)
|
||||
@@ -257,8 +221,6 @@ int alloc_null_complain_profile(void)
|
||||
goto fail;
|
||||
|
||||
null_complain_profile->flags.complain = 1;
|
||||
|
@ -234,7 +234,7 @@
|
|||
|
||||
return 0;
|
||||
|
||||
@@ -361,14 +323,14 @@ static int aa_audit_base(struct aa_profi
|
||||
@@ -381,14 +343,14 @@ static int aa_audit_base(struct aa_profi
|
||||
audit_log_untrustedstring(ab, sa->name2);
|
||||
}
|
||||
|
||||
|
@ -252,7 +252,7 @@
|
|||
}
|
||||
|
||||
audit_log_end(ab);
|
||||
@@ -857,7 +819,7 @@ repeat:
|
||||
@@ -877,7 +839,7 @@ repeat:
|
||||
if (IS_ERR(new_profile))
|
||||
goto cleanup;
|
||||
|
||||
|
@ -261,7 +261,7 @@
|
|||
if (IS_ERR(old_profile)) {
|
||||
aa_put_profile(new_profile);
|
||||
aa_put_profile(profile);
|
||||
@@ -953,10 +915,11 @@ repeat:
|
||||
@@ -973,10 +935,11 @@ repeat:
|
||||
}
|
||||
|
||||
static int do_change_profile(struct task_struct *task, const char *name,
|
||||
|
@ -276,7 +276,7 @@
|
|||
int error = 0;
|
||||
|
||||
new_cxt = aa_alloc_task_context(GFP_KERNEL);
|
||||
@@ -964,21 +927,38 @@ static int do_change_profile(struct task
|
||||
@@ -984,21 +947,38 @@ static int do_change_profile(struct task
|
||||
return -ENOMEM;
|
||||
|
||||
repeat:
|
||||
|
@ -324,7 +324,7 @@
|
|||
unlock_task_and_profiles(task, cxt, profile);
|
||||
aa_put_profile(profile);
|
||||
goto repeat;
|
||||
@@ -1022,6 +1002,7 @@ out:
|
||||
@@ -1042,6 +1022,7 @@ out:
|
||||
aa_free_task_context(new_cxt);
|
||||
unlock_task_and_profiles(task, cxt, profile);
|
||||
aa_put_profile(profile);
|
||||
|
@ -332,7 +332,7 @@
|
|||
return error;
|
||||
}
|
||||
|
||||
@@ -1126,7 +1107,7 @@ int aa_change_profile(const char *name,
|
||||
@@ -1146,7 +1127,7 @@ int aa_change_profile(const char *name,
|
||||
return -EACCES;
|
||||
}
|
||||
|
||||
|
@ -341,7 +341,7 @@
|
|||
} else {
|
||||
error = do_restore_profile(current, token, &sa);
|
||||
}
|
||||
@@ -1135,159 +1116,36 @@ int aa_change_profile(const char *name,
|
||||
@@ -1155,159 +1136,36 @@ int aa_change_profile(const char *name,
|
||||
return error;
|
||||
}
|
||||
|
||||
|
@ -513,7 +513,7 @@
|
|||
return error;
|
||||
}
|
||||
|
||||
@@ -1420,7 +1278,7 @@ void aa_change_task_context(struct task_
|
||||
@@ -1440,7 +1298,7 @@ void aa_change_task_context(struct task_
|
||||
new_cxt->task = task;
|
||||
new_cxt->profile = aa_dup_profile(profile);
|
||||
new_cxt->token_profile = aa_dup_profile(token_profile);
|
||||
|
|
|
@ -49,7 +49,7 @@ unused.diff
|
|||
do_path_lookup-nameidata.diff
|
||||
sys_fchdir-nameidata.diff
|
||||
file_permission-nameidata.diff
|
||||
foobar.diff
|
||||
#foobar.diff
|
||||
# # NOT YET
|
||||
# ecryptfs-d_revalidate.diff
|
||||
# nfs-nameidata-check.diff
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
--- a/security/apparmor/apparmor.h
|
||||
+++ b/security/apparmor/apparmor.h
|
||||
@@ -218,9 +218,6 @@ extern int aa_change_hat(const char *id,
|
||||
extern int aa_change_profile(const char *name);
|
||||
extern int aa_change_profile(const char *name, u64 cookie);
|
||||
extern struct aa_profile *__aa_find_profile(const char *name,
|
||||
struct list_head *list);
|
||||
-extern struct aa_profile *__aa_find_profile2(const char *name,
|
||||
|
|